Network security system and methods for encoding network connectivity for activity classification

ABSTRACT

Aspects are generally directed to network security systems and methods of monitoring network activity. In one example, a network security system includes an interface to receive a Hypertext Transfer Protocol (HTTP) network log that includes a matrix of data, a feature extraction component configured to extract a connectivity matrix from the HTTP network log based on a recurring pattern within the matrix of data, and a training module configured to provide deep learning architecture training data based on the connectivity matrix. The system may include a deep learning architecture configured to receive and propagate the training data through one or more layers thereof to train the one or more layers, and being configured to generate a general data representation of the HTTP network log. The system may include a behavior analytics component to detect a discordant network activity within the HTTP network log based on the general data representation.

BACKGROUND

Hypertext Transfer Protocol (HTTP) is an application protocol for exchanging or transferring hypertext. HTTP is a stateless protocol that permits communication between a variety of clients and hosts. In particular, HTTP is a request-response protocol by which a client submits an HTTP request, and a host returns a response. Often the host provides a message, content, or other functionality for the client. In many cases, HTTP network logs may be generated to track one or more aspects of communication between a client and a host. In particular, HTTP network logs may include internet protocol (IP) addresses, timestamps, HTTP code, and page requests, among other information.

SUMMARY OF THE INVENTION

Various aspects and examples described herein provide network security systems and related methods. In one example, provided is a network security system that trains a deep learning architecture based on a Hypertext Transfer Protocol (HTTP) connectivity matrix that is extracted from one or more HTTP network logs. In particular, the network security system may provide training data based on the HTTP connectivity matrix such that the deep learning architecture may generate a general data representation of the HTTP network log. The network security system may then use the general data representation to detect one or more discordant network activities within the HTTP network log. Such examples may be used to protect a network, client, and/or host against malicious network activity and/or behavior.

According to an aspect, provided is a network security system. In one example, the network security system comprises a system interface to receive a Hypertext Transfer Protocol (HTTP) network log, the HTTP network log including a matrix of data arranged by at least one field and a time bin, a feature extraction component coupled to the system interface, the feature extraction component configured to extract a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data, and a training module coupled to the feature extraction component, the training module being configured to provide deep learning architecture training data based on the connectivity matrix. The network security system may also comprise a deep learning architecture having one or more layers, the deep learning architecture configured to receive the deep learning architecture training data and propagate the deep learning architecture training data through the one or more layers to train the one or more layers, and the deep learning architecture being configured to receive the HTTP network log and generate a general data representation of the HTTP network log. A behavior analytics component may be coupled to the deep learning architecture and configured to detect a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log.

According to various examples, the deep learning architecture is a stacked autoencoder, each layer of the one or more layers being a sparse autoencoder. In various examples, the behavior analytics component is configured to detect the discordant network activity in the HTTP network log by detecting a deviation from the recurring behavioral pattern. For example, the recurring behavioral pattern may be a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address.

In various examples, the HTTP network log is a first HTTP network log for a single computer user, and the feature extraction component is configured to generate the connectivity matrix from the first HTTP network log based at least in part on a source Internet Protocol (IP) address of the single computer user, one or more destination IP addresses, and the time bin. In some examples, rows in the connectivity matrix indicate the source IP address of the single computer user and the time bin, and columns in the connectivity matrix indicate the one or more destination IP addresses. In various examples, a value within each cell of the connectivity matrix indicates a number of connections between at least the source IP address of the single computer user and an individual destination IP address of the one or more destination IP addresses. In some examples, the training module is further configured to interpolate values into zero-valued cells in the connectivity matrix.

According to various examples, the behavior analytics component is further configured to classify contents of the general data representation of the HTTP network log as human-initiated activity or machine-initiated activity, and the discordant activity within the HTTP network log is a first machine-initiated activity. In various examples, the HTTP network log is an HTTP network log for a plurality of computer users, and the behavior analytics component is further configured to group each of the plurality of computer users within one of a plurality of user classes based on the contents of the general data representation of the HTTP network log.

According to another aspect, provided is a method of monitoring network activity. In one example, the method comprises receiving a Hypertext Transfer Protocol (HTTP) network log, the HTTP network log including a matrix of data arranged by at least one field and a time bin, extracting a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data, providing deep learning architecture training data to a deep learning architecture, the deep learning architecture training data being based on the connectivity matrix, receiving the deep learning architecture training data at the deep learning architecture, and propagating the deep learning architecture training data through one or more layers of the deep learning architecture to train the one or more layers, at the deep learning architecture, generating a general data representation of the HTTP network log, and detecting a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log.

According to various examples, receiving the HTTP network log includes receiving a first HTTP network log for a single computer user, and extracting the connectivity matrix includes extracting the connectivity matrix from the first HTTP network log based at least in part on a source Internet Protocol (IP) address of the single computer user, one or more destination IP addresses, and the time bin. In various examples, rows in the connectivity matrix indicate the source IP address of the single computer user and the time bin, and columns in the connectivity matrix indicate the one or more destination IP addresses. In some examples, a value within each cell of the connectivity matrix indicates a number of connections between at least the source IP address of the single computer user and an individual destination IP address of the one or more destination IP addresses. In various examples, the method further comprises interpolating values into zero-valued cells in the connectivity matrix.

According to various examples, the method further comprises classifying contents of the general data representation of the HTTP network log as human-initiated activity or machine-initiated activity, and the discordant activity within the HTTP network log is a first machine-initiated activity. In various examples, receiving the HTTP network log includes receiving an HTTP network log for a plurality of computer users, and the method further comprises grouping each of the plurality of computer users within one of a plurality of user classes based on the contents of the general data representation of the HTTP network log.

According to various examples, detecting the discordant internet activity in the HTTP network log includes detecting a deviation from the recurring behavioral pattern. In various examples, the recurring behavioral pattern is a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address.

Still other aspects, embodiments, and advantages of these exemplary aspects and examples are discussed in detail below. Embodiments disclosed herein may be combined with other embodiments in any manner consistent with at least one of the principles disclosed herein, and references to “an embodiment,” “some embodiments,” “an alternate embodiment,” “various embodiments,” “one embodiment” or the like are not necessarily mutually exclusive and are intended to indicate that a particular feature, structure, or characteristic described may be included in at least one embodiment. The appearances of such terms herein are not necessarily all referring to the same embodiment. Various aspects and examples described herein may also include means for performing any of the described methods or functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various aspects of at least one embodiment are discussed below with reference to the accompanying figures, which are not intended to be drawn to scale. The figures are included to provide illustration and a further understanding of the various aspects and embodiments, and are incorporated in and constitute a part of this specification, but are not intended as a definition of the limits of the invention. In the figures, each identical or nearly identical component that is illustrated in various figures is represented by a like numeral. For purposes of clarity, not every component may be labeled in every figure. In the figures:

FIG. 1 is a block diagram of a network security system receiving a Hypertext Transfer Protocol (HTTP) network log, according to various examples described herein;

FIG. 2 is a visualization of a connectivity matrix, according to various examples described herein;

FIG. 3 is a block diagram of a deep learning architecture, according to various examples described herein;

FIG. 4 is a process flow for monitoring network activity, according to various examples described herein;

FIGS. 5A-5B are a more detailed process flow for monitoring network activity, according to various examples described herein; and

FIG. 6 is a block diagram of a computing system, according to various examples described herein.

DETAILED DESCRIPTION

Various aspects and examples described herein provide network security systems and related methods. Certain examples are directed to a network security system that aggregates HTTP network log information and extracts a connectivity matrix based at least in part on a recurring behavioral pattern within the HTTP network log. Based on the connectivity matrix, the network security system provides training data to train a deep learning architecture (e.g., a stacked autoencoder). The trained deep learning architecture may then generate a general data representation of the HTTP network log information that can be used to detect one or more discordant network activities within the HTTP network log. In particular, examples of the network security systems and related methods described herein may be utilized to recognize patterns of user behavior, recognize patterns of machine behavior, and/or detect activities and/or behavior that is unusual and may be harmful to a computing system or network.

Protecting a network (e.g., LANs, WANs, extranets, intranets, cloud computing systems, etc.) from malicious threats and behavior is of paramount interest in the realm of computer networks. Typical network security systems rely on blacklists (also known as block lists) and/or whitelists to control malicious network activity or behavior. Typically, a blacklist blocks network access for all items (e.g., URLs, IP addresses, domain names, etc.) listed in that blacklist. In contrast, a whitelist only permits network access for items listed in that whitelist. While blacklists are effective in controlling known malicious activity and behavior, zero-day threats and new forms of malicious activity often go undetected, or temporarily undetected. While whitelists resolve some of the shortcomings of blacklists, whitelists can be over-inclusive and may block otherwise acceptable network activity.

Various aspects and implementations described herein address the shortcomings of blacklists, whitelists, and other known network security approaches. Particular examples of the described network security systems actively learn and predict malicious activity and behavior based on one or more learned patterns in HTTP network logs. In addition to providing improved accuracy and responsiveness when compared to other security approaches, various aspects of the network security systems and methods described herein may permit real-time adjustments and modifications of the network activity being monitored. Accordingly, the network security systems and methods described herein improve the functionality of prior network security systems while also offering functionality that is not currently available.

It is to be appreciated that embodiments of the systems and methods discussed herein are not limited in application to the details of construction and the arrangement of components set forth in the following description or illustrated in the accompanying drawings. The systems and methods are capable of implementation in other embodiments and of being practiced or of being carried out in various ways. Examples of specific implementations are provided herein for illustrative purposes only and are not intended to be limiting. Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use herein of “including,” “comprising,” “having,” “containing,” “involving,” and variations thereof is meant to encompass the items listed thereafter and equivalents thereof as well as additional items. References to “or” may be construed as inclusive so that any terms described using “or” may indicate any of a single, more than one, and all of the described terms. Any references to front and back, left and right, top and bottom, upper and lower, and vertical and horizontal are intended for convenience of description, not to limit the present systems and methods or their components to any one positional or spatial orientation.

FIG. 1 illustrates a network security system 100 according to various examples described herein. As illustrated in FIG. 1, the network security system 100 may include a system interface 102, a feature extraction component 104, a training module 106, and a deep learning architecture 108, among other components. For example, in some instances, the network security system 100 may also include a behavior analytics component 110 (shown in ghost lines). Each of the system interface 102, the feature extraction component 104, the training module 106, the deep learning architecture 108, the behavior analytics component 110, and the other components of the network security system 100 may be a specialized hardware component. For instance, each component may be composed of an array of logic blocks. In particular, each component may be implemented by an array of transistors arranged in an integrated circuit that provides a performance and power consumption similar to an ASIC (application-specific integrated circuit).

In some other examples, each of the system interface 102, the feature extraction component 104, the training module 106, the deep learning architecture 108, the behavior analytics component 110, and the other components of the network security system 100 may be a specialized software component executing within, or executed by, a computing system, such as the computing system 600 shown and further described below with reference to at least FIG. 6. In other examples, the system interface 102, the feature extraction component 104, the training module 106, the deep learning architecture 108, the behavior analytics component 110, and the other components of the network security system 100 may be a specialized hardware component or specialized software component, or combination thereof, provisioned between multiple computing systems in a distributed computer network.

Each of the system interface 102, the feature extraction component 104, the training module 106, the deep learning architecture 108, the behavior analytics component 110, and the other components of the network security system 100 may be coupled by an interconnection element, such as a bus, network, or other connection for exchanging data and/or instructions. The bus may include one or more physical busses and may include any communication coupling between system components including specialized or standard computing bus technologies. Thus, the bus enables communications (for example, data and instructions) to be exchanged between components of the network security system 100.

As illustrated in FIG. 1, the network security system 100 may receive an HTTP network log (represented generally by a matrix 112) at the system interface 102. The system interface 102 may include one or more input devices, one or more output devices, or a combination of input and output devices. That is, the system interface 102 allows the network security system 100 to exchange information and communicate with users and other systems. The system interface 102 may exchange data via a network connection using one or more of a variety of methods, protocols, and standards. For instance, the network connection may be a LAN, WAN, extranet, intranet, or cloud computing system, to name a few examples. As discussed, HTTP network logs may include a matrix of data that corresponds to one or more requests received by a host (e.g., and sent by a client) and/or data that corresponds to one or more responses received by a client (e.g., and provided by a host).

In some particular examples, the HTTP network log received by the system interface 102 may include a matrix of data that is arranged by one or more fields and a time bin. For instance, FIG. 1 shows the matrix 112 representing the received HTTP network log as including data arranged in rows and columns. Each row may represent a particular request, and each column may represent a particular field. Accordingly, in FIG. 1, each row is shown as having a different time bin (e.g., date and time). In the illustrated matrix, the columns are representative of the time stamp (e.g., date and time; e.g., column 114), a source Internet Protocol (IP) address (e.g., client IP address; e.g., column 116), a destination IP address (e.g., server address; e.g., column 118), and a URL address requested by the client (e.g., column 120).

While FIG. 1 illustrates one example of an HTTP network log, in various other examples, the system interface 102 may receive an HTTP network log having different fields of data. That is, the columns illustrated and described with reference to the HTTP network log of FIG. 1 are merely provided for the purpose of explanation, and in other examples, other rows, columns, and formats may be used. For instance, in one example, the HTTP network log may have a column for destination IP categories (e.g., sorted by Uniform Resource Identifier (URI)). In other examples, HTTP network logs may include data size, ports, additional IP addresses, and messages, among a variety of other information. Moreover, while a single HTTP network log is described herein for the purpose of explanation, in practice, the network security system 100 may receive a multitude of HTTP network logs. For instance, over one hundred HTTP network logs may correspond to a single website search performed by a user's personal computer. Accordingly, the system interface 102 may continuously or discretely receive more than one HTTP network log, and in many instances, may receive a large volume of HTTP network logs.

In some examples, the format of the HTTP network log may be based on the particular network activity that is being monitored by the network security system, as further described below. Moreover, while FIG. 1 illustrates the system interface 102 as receiving the HTTP network log from an external system, in other examples, the network security system 100 may have one or more specialized hardware or software components that track client requests and/or host responses to dynamically generate the HTTP network log. In such an example, the system interface 102 may serve as an interface between the HTTP network log generating component and the feature extraction component 104. The system interface 102 may also be coupled to a storage element (e.g., a volatile storage or a non-volatile storage) and retrieve the HTTP network log from the storage element.

The feature extraction component 104 is coupled to the system interface 102 and is configured to extract a connectivity matrix from the HTTP network log. In many cases, the HTTP network log may include a large data set with no “ground truth” (i.e., verified starting information) regarding malicious network activity and/or behavior. That is, as a result of the size and disparate nature of the data within the HTTP network log, the HTTP network log merely offers inferences of malicious network activity and/or behavior, as opposed to direct empirical evidence. Accordingly, the feature extraction component 104 may extract a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data. In many instances, the recurring behavioral pattern may be a reoccurrence of a particular item within the HTTP network log. In other examples, the recurring behavioral pattern is a correlation between one or more entries within the HTTP network log. For instance, the recurring behavioral pattern may be a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address.

The connectivity matrix may then be used to generate deep learning architecture training data to train a deep learning architecture 108. For instance, referring to FIG. 1, the feature extraction component 104 may be configured to generate the connectivity matrix from the illustrated HTTP network log based at least in part on the source Internet Protocol (IP) address, a destination IP address (e.g., server address), and the time bin. In some other examples, the feature extraction component 104 may be configured to extract the connectivity matrix from the HTTP network log based on one or more destination IP categories. Destination IP categories may refer to a categorization of a destination IP address, which may be categorized based on source, content, frequency of access, and/or threat level, to name a few examples.

In at least one example, the connectivity matrix is a data representation that connects otherwise disparate data within the HTTP network log. In particular, relative to the HTTP network log, the connectivity matrix may be targeted to a particular field or data sub-set within the HTTP network log, and therefore contain a relatively smaller and concentrated amount of data relative to the entire HTTP network log. For instance, in one example, the connectivity matrix may include a plurality of rows and columns in which the rows are indicative of one data sub-set from the HTTP network log, and the columns are representative of another data sub-set from the HTTP network log. Cells within the connectivity matrix may include a value representative of the connection or connections between the data sub-set of a particular row and the data sub-set of a particular column.

For purposes of explanation, rows within the connectivity matrix may be representative of the source IP address of a single computer user and the time bin corresponding to a request, and the columns may be representative of destination IP addresses. In such an example, a value within each cell of the connectivity matrix indicates the number of connections between the source IP address of the single computer user, and an individual one of the destination IP addresses. In some instances, the connectivity matrix may be sparse. That is, the connectivity matrix may include multiple cells where no connection exists. In these cells, a zero value may represent the absence of a connection. In these instances, one or more components of the network security system 100 may interpolate values into the zero-valued cells. In one example, these operations may be performed by the training module 106. FIG. 2 illustrates one example visualization of a connectivity matrix 200.

In FIG. 2, the connectivity matrix 200 is a data representation that shows the network traffic between a set of source IP values (e.g., addresses) and a set of destination IP values (e.g., addresses). In FIG. 2, the rows 204 are representative of the source IP values (e.g., Source IP A, Source IP B, Source IP C, etc.), and the columns 202 are representative of the destination IP values (e.g., Destination IP X, Destination IP Y, Destination IP Z, etc.). As further shown in FIG. 2, each particular cell 206 within the connectivity matrix 200 is descriptive of the connection between a source IP value and a destination IP value. In particular, each cell 206 is shown as being descriptive of the total bytes of data exchanged between the corresponding source IP value and the corresponding destination IP value at a particular time bin. For instance, the cell 206 corresponding to Source IP A and Destination IP X includes 300 kb at Dec. 10, 2017 12:10. It is appreciated that FIG. 2 merely offers one example of a connectivity matrix for the purpose of explanation, and in the other examples described herein, a connectivity matrix may include additional or other information than that explicitly illustrated in FIG. 2.
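The extraction step described above (rows keyed by source IP address and time bin, columns keyed by destination IP address, each cell holding either the connection count of the single-user example or the byte total of FIG. 2), as an added illustration in Python; it is not code from the patent. The log lines, the tab-separated field layout, the 15-minute bin width and the zero-cell interpolation scheme are all assumptions made for this example, since the patent fixes none of them.

```python
"""Connectivity-matrix extraction from HTTP network log records.

Added illustration; not the patent's implementation. The log format, the
bin width and the interpolation rule are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (tab-separated): timestamp, source IP, destination IP, URL, bytes
SAMPLE_LOG = """\
2017-12-10 12:10:05\t10.0.0.5\t93.184.216.34\t/index.html\t300000
2017-12-10 12:12:40\t10.0.0.5\t93.184.216.34\t/app.js\t120000
2017-12-10 12:14:02\t10.0.0.5\t151.101.1.69\t/api/v1\t4000
2017-12-10 12:31:17\t10.0.0.5\t93.184.216.34\t/index.html\t300000
2017-12-10 12:33:00\t10.0.0.7\t151.101.1.69\t/api/v1\t4000
2017-12-10 12:35:45\t10.0.0.7\t151.101.1.69\t/api/v2\t5000
"""

BIN_MINUTES = 15  # assumed time-bin width; the patent does not fix one


def time_bin(ts: str, minutes: int = BIN_MINUTES) -> str:
    """Floor a 'YYYY-MM-DD HH:MM:SS' timestamp to the start of its time bin."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    floored = dt.replace(minute=(dt.minute // minutes) * minutes, second=0)
    return floored.strftime("%Y-%m-%d %H:%M")


def parse_log(text: str):
    """Yield (timestamp, src_ip, dst_ip, url, nbytes) tuples; malformed lines are skipped
    so that one bad record does not abort extraction of the whole log."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, dst, url, nbytes = parts
        try:
            yield ts, src, dst, url, int(nbytes)
        except ValueError:
            continue


def connectivity_matrix(records, value="count"):
    """Build the matrix: rows keyed by (src_ip, time_bin), columns keyed by dst_ip.

    value="count" stores the number of connections per cell (single-user example);
    value="bytes" stores total bytes exchanged (as in FIG. 2). Absent connections
    are zero, so the result is typically sparse. Returns (row_keys, col_keys, matrix).
    """
    cells = defaultdict(int)
    for ts, src, dst, _url, nbytes in records:
        cells[((src, time_bin(ts)), dst)] += nbytes if value == "bytes" else 1
    row_keys = sorted({r for r, _ in cells})
    col_keys = sorted({c for _, c in cells})
    matrix = [[cells.get((r, c), 0) for c in col_keys] for r in row_keys]
    return row_keys, col_keys, matrix


def interpolate_zero_cells(row_keys, col_keys, matrix):
    """Fill zero cells from the time-adjacent rows of the same source IP.

    The patent only states that zero-valued cells are interpolated; averaging the
    neighbouring bins of the same source is one assumed scheme, not the patent's.
    Cells with no same-source neighbour stay zero.
    """
    filled = [row[:] for row in matrix]
    for j in range(len(col_keys)):
        for i, (src, _bin) in enumerate(row_keys):
            if matrix[i][j] != 0:
                continue
            prev_v = matrix[i - 1][j] if i > 0 and row_keys[i - 1][0] == src else None
            next_v = (matrix[i + 1][j]
                      if i + 1 < len(row_keys) and row_keys[i + 1][0] == src else None)
            neighbours = [v for v in (prev_v, next_v) if v is not None]
            if neighbours:
                filled[i][j] = sum(neighbours) / len(neighbours)
    return filled


if __name__ == "__main__":
    rows, cols, m = connectivity_matrix(parse_log(SAMPLE_LOG))
    print("columns (destination IPs):", cols)
    for key, row in zip(rows, m):
        print(key, row)
    print("after interpolation:", interpolate_zero_cells(rows, cols, m))
```

Rows are sorted by (source IP, bin), so the bins of one source are adjacent and the interpolation only ever borrows from that same source; a destination that a source has never contacted in any neighbouring bin stays at zero, which is exactly the "historically unused destination" signal the later detection step relies on.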

Returning to FIG. 1, the feature extraction component 104 may be coupled to the training module 106, and may provide the connectivity matrix to the training module 106. The training module 106 is configured to provide deep learning architecture training data (also referred to herein generally as “training data”) to the deep learning architecture 108 based on the connectivity matrix. As also shown in FIG. 1, the network security system 100 may include a deep learning architecture 108 to receive the training data and the HTTP network log. The deep learning architecture 108 may have one or more layers, and may propagate the training data through the one or more layers to train the one or more layers. Based on the continued learning of the deep learning architecture 108, and the received HTTP network log, the deep learning architecture 108 may generate a general data representation of the HTTP network log. As further described with reference to the behavior analytics component 110, the general data representation may be used to detect a discordant network activity within the HTTP network log. In many cases, the discordant network activity corresponds to, or is indicative of, malicious network activity or behavior.

Referring to FIG. 3, illustrated is a block diagram of one particular example of the deep learning architecture 108. In various examples, the deep learning architecture 108 implements a deep learning method to learn a data representation of the HTTP network log, and generate a general data representation. As discussed herein, the general data representation is a reduction and extraction of data from the HTTP network log that is suitable for recognizing patterns of network activity or behavior. That is, the general data representation is a low-dimensional and dense representation of HTTP network log data that is dimensionally reduced when compared with the HTTP network log.

As shown in FIG. 3, the deep learning architecture 108 may be a neural network including one or more cascaded layers of “neurons”. Each neuron is a computational unit that receives an input and generates an output based at least in part on an activation function for that neuron. In one example, and as illustrated, the deep learning architecture 108 may be a stacked autoencoder. Each layer of the stacked autoencoder may be a sparse autoencoder. In the illustrated example, the deep learning architecture 108 has an input layer 300, an output layer 304, and one or more intermediate layers (e.g., “hidden” layers) 302 a-c (generally referred to as “intermediate layers 302”). Intermediate layers 302 are interposed between the input layer 300 and the output layer 304. Each layer of the deep learning architecture 108 uses output(s) from the immediately preceding layer as input(s). In FIG. 3, the deep learning architecture 108 has five input units 308, four intermediate units 310, and five output units 312. However, it is appreciated that in various other examples other arrangements may be used. In many instances, the training data is the input(s) at the input layer of the deep learning architecture 108.

As shown in FIG. 3, for each input of training data, the deep learning architecture 108 may propagate the training data through the one or more layers to train the one or more layers. That is, the training data may be propagated from the input layer 300, through the intermediate layers 302, to obtain an output at the output layer 304. A deviation between the input and the output may then be back-propagated through the one or more layers to update and train the one or more layers.

Returning to FIG. 1, and with continuing reference to FIG. 3, as previously described, in various examples the deep learning architecture 108 receives the training data derived from the connectivity matrix as input(s) at the input layer 300. That is, in various examples, the input layer 300 of the deep learning architecture 108 may receive a matrix including an array of cells that each has a value representative of the connection or connections between the data sub-set of a particular row and the data sub-set of a particular column of the connectivity matrix. As further illustrated in FIG. 1, the deep learning architecture 108 may also receive the HTTP network log and generate a general data representation. In various examples, the deep learning architecture 108 groups the encoded data of the general data representation into clusters. In one example, the clusters may be based on time of day, such as morning, noon, evening, and night-time. In other examples, the clusters may be based on other aspects of network activity having similar characteristics.

As discussed, the deep learning architecture 108 may be a stacked autoencoder. In particular examples, the stacked autoencoder may perform the dimensionality reduction of the HTTP network log. In one example, the intermediate layers of the deep learning architecture 108, such as those illustrated in FIG. 3, include a plurality of encode layers that provide a successively lower-dimensional output relative to the dimensionality of the HTTP network log. In such an example, the deep learning architecture 108 includes a plurality of decode layers that provide a successively higher-dimensional output relative to the dimensionality of the encode layer output. The output of the deep learning architecture 108 is evaluated against the input to train the deep learning architecture 108. That is, the decode layers are trained to reconstruct the received input (the HTTP network log in this example), and the encode layers are trained to learn a low-dimensional data representation that allows an accurate reconstruction of the input. As discussed, the trained encode layers may be used for preprocessing for other learning tasks. For example, entries within a connectivity matrix may be used to train the stacked autoencoder, which, when trained, could encode a vector of byte counts for various destination IP addresses into a relatively smaller, dense vector.

In various examples, the behavior analytics component 110 is coupled to the deep learning architecture 108 to receive the general data representation. The behavior analytics component 110 is configured to detect a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log. As discussed herein, in various examples, the discordant network activity is one or more network activities that are a deviation from a recurring behavioral pattern in the HTTP network log. In some cases, the deviation is a malicious network activity or behavior, or is indicative of a malicious network activity or behavior. The malicious network activity may be unauthorized network access, unauthorized data access, and/or exfiltration, among other malicious network activity or behavior.

For instance, if the recurring behavioral pattern is a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address, the discordant network activity may be a new connection between the same or another source IP address and a different destination IP address. In another example, if the recurring behavioral pattern is a reoccurring connection between a source IP address and a destination IP address during a particular time of day (e.g., morning), the discordant network activity may be a connection between the source IP address and the destination IP address during a different time of day (e.g., night-time). In another example, if the recurring behavioral pattern is recurring network activity at a particular time of day, the discordant network activity may be network activity at a different time of day. In still other examples, the discordant network activity may be based on the amount of data or information transferred. For instance, the discordant network activity may be a large data exchange compared to a typical behavior of relatively smaller data exchanges.
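The three kinds of deviation just described (a new destination, a known destination at an unusual time of day, and an unusually large transfer) can be checked directly against a learned baseline. The following is an added example and is not code from the patent: it builds a per-source baseline from constructed HTTP log lines and then reports the deviations found in a later, also constructed, log. The log format, the time-of-day bin cut-points, the use of the median as the "typical" transfer size, and the size factor are all assumptions.

```python
"""Added example (not from the patent): baseline-and-deviation checks over
constructed HTTP log lines. Log format, time bins and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<timestamp> <src_ip> <dst_ip> <status> <bytes> <path>"
BASELINE_LOG = """\
2023-03-01T09:12:03 10.0.0.5 203.0.113.10 200 1200 /index.html
2023-03-01T09:40:17 10.0.0.5 203.0.113.10 200 980 /news
2023-03-02T10:05:44 10.0.0.5 203.0.113.10 200 1500 /index.html
2023-03-02T11:30:02 10.0.0.5 203.0.113.20 200 700 /api/status
2023-03-03T09:55:21 10.0.0.5 203.0.113.10 304 300 /index.html
"""

# Constructed subsequent log: a normal request, a night-time upload to a
# never-seen destination, a normal request, and a night-time visit to a
# destination only ever contacted in the morning.
NEW_LOG = """\
2023-03-04T09:20:00 10.0.0.5 203.0.113.10 200 1100 /index.html
2023-03-04T02:14:09 10.0.0.5 198.51.100.7 200 52000000 /upload
2023-03-04T10:01:30 10.0.0.5 203.0.113.20 200 650 /api/status
2023-03-04T22:30:00 10.0.0.5 203.0.113.10 200 900 /index.html
"""


def time_bin(ts):
    """Coarse time-of-day bin; the cut-points are an assumption."""
    hour = ts.hour
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 14:
        return "noon"
    if 14 <= hour < 20:
        return "evening"
    return "night"


def parse(log):
    for line in log.splitlines():
        ts, src, dst, status, nbytes, path = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(status), int(nbytes), path


class Baseline:
    """Recurring behavior per source: which destinations were contacted in
    which time bins, and the typical (median) size of a transfer."""

    def __init__(self):
        self.pair_bins = defaultdict(set)   # (src, dst) -> time bins observed
        self.sizes = defaultdict(list)      # src -> byte counts observed

    def learn(self, log):
        for ts, src, dst, _status, nbytes, _path in parse(log):
            self.pair_bins[(src, dst)].add(time_bin(ts))
            self.sizes[src].append(nbytes)

    def typical_size(self, src):
        vals = sorted(self.sizes[src])
        return vals[len(vals) // 2] if vals else 0


def detect(baseline, log, size_factor=10):
    """Return (timestamp, src, dst, reason) tuples for activity that deviates
    from the learned baseline; one line can yield more than one reason."""
    findings = []
    for ts, src, dst, _status, nbytes, _path in parse(log):
        tb = time_bin(ts)
        seen_bins = baseline.pair_bins.get((src, dst))
        if seen_bins is None:
            findings.append((ts.isoformat(), src, dst, "new-destination"))
        elif tb not in seen_bins:
            findings.append((ts.isoformat(), src, dst, "unusual-time-bin:" + tb))
        if nbytes > size_factor * baseline.typical_size(src):
            findings.append((ts.isoformat(), src, dst, "large-transfer"))
    return findings


def run_example():
    baseline = Baseline()
    baseline.learn(BASELINE_LOG)
    return detect(baseline, NEW_LOG)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Running the block prints three findings: the 02:14 request is both a new destination and a large transfer (52 MB against a median of 980 bytes), and the 22:30 request hits a destination this source has only ever contacted in the morning.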

As malicious network activity or behavior becomes more covert, detection may require greater focus. For instance, a small series of unauthorized data exchanges, each with a different destination IP address, spread over a long period of time may be more challenging to detect than overt discordant network activity. For such subtle malicious network activity and behavior, the deep learning architecture 108 may be continuously trained and adjusted over time. For instance, the deep learning architecture 108 may be used to provide a model trained from network connectivity data and historically unused destination IP addresses over a specified time scale. In some examples, the behavior analytics component 110 may provide the detected discordant activity (and related encoded data) for interaction, such as for interaction with users and other systems (shown generally as output 122). While in one example visual and/or auditory alerts may be generated, in other examples the raw encoded data may be presented for interaction (e.g., via one or more graphical user interfaces).

The behavior analytics component 110 may be further configured to classify and/or group contents of the general data representation of the HTTP network log. In some examples, this may include identifying and classifying the one or more clusters within the general data representation. Classifications may then be used to detect discordant network activities within a subsequent HTTP network log. For example, the behavior analytics component 110 may be configured to classify contents of the general data representation as human-initiated activity or machine-initiated activity. Human-initiated activity corresponds to network activity that results from a computer user's interactions with the computer. In contrast, machine-initiated activity corresponds to autonomous network activity performed by the computer itself, a software component executing on the computer, or one or more computing systems that communicate with the computer. In such an example, the recurring behavioral pattern may correspond to human-initiated activity and the discordant activity detected by the behavior analytics component 110 may be a machine-initiated activity.
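One way to make the human-initiated versus machine-initiated classification concrete, as an added example that is not part of the patent: requests whose inter-arrival times are nearly constant are labeled machine-initiated, irregular (bursty) requests are labeled human-initiated, and a time bin whose label differs from the source's usual label is reported as the discordant activity. The patent does not specify how the classification is made; the regularity heuristic (coefficient of variation of inter-arrival gaps), its threshold, the hourly bin, and the constructed log lines are all assumptions.

```python
"""Added example (not from the patent): label each (source, hour) bin as
human- or machine-initiated from request-timing regularity, then report bins
whose label deviates from the source's usual label. Heuristic, threshold,
bin width and log lines are assumptions."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines: "<timestamp> <src_ip> <dst_ip>". Source 10.0.0.7
# browses irregularly in the morning and, at 03:00, emits one request every 60 s.
LOG = """\
2023-03-01T03:00:00 10.0.0.7 198.51.100.9
2023-03-01T03:01:00 10.0.0.7 198.51.100.9
2023-03-01T03:02:00 10.0.0.7 198.51.100.9
2023-03-01T03:03:00 10.0.0.7 198.51.100.9
2023-03-01T03:04:00 10.0.0.7 198.51.100.9
2023-03-01T09:00:00 10.0.0.7 203.0.113.10
2023-03-01T09:03:12 10.0.0.7 203.0.113.10
2023-03-01T09:03:40 10.0.0.7 203.0.113.20
2023-03-01T09:11:05 10.0.0.7 203.0.113.10
2023-03-01T09:25:50 10.0.0.7 203.0.113.30
2023-03-01T10:02:00 10.0.0.7 203.0.113.10
2023-03-01T10:02:20 10.0.0.7 203.0.113.10
2023-03-01T10:15:00 10.0.0.7 203.0.113.20
2023-03-01T10:16:30 10.0.0.7 203.0.113.20
2023-03-01T10:40:00 10.0.0.7 203.0.113.10
"""


def inter_arrivals(timestamps):
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def classify_gaps(gaps, cv_threshold=0.2):
    """Near-constant spacing (low coefficient of variation) is treated as
    machine-initiated; irregular spacing as human-initiated."""
    if len(gaps) < 3:
        return "unknown"
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return "machine-initiated" if cv < cv_threshold else "human-initiated"


def bins_by_source(log, bin_fmt="%Y-%m-%dT%H"):
    groups = defaultdict(list)
    for line in log.splitlines():
        ts, src = line.split()[:2]
        t = datetime.fromisoformat(ts)
        groups[(src, t.strftime(bin_fmt))].append(t)
    return groups


def classify_bins(log):
    """(src, time bin) -> label."""
    return {key: classify_gaps(inter_arrivals(ts))
            for key, ts in bins_by_source(log).items()}


def classification_deviations(labels):
    """Bins whose label differs from the source's most common label."""
    per_src = defaultdict(list)
    for (src, b), label in labels.items():
        per_src[src].append((b, label))
    deviations = []
    for src, items in sorted(per_src.items()):
        usual = Counter(label for _, label in items).most_common(1)[0][0]
        deviations += [(src, b) for b, label in sorted(items) if label != usual]
    return deviations


if __name__ == "__main__":
    labels = classify_bins(LOG)
    for key in sorted(labels):
        print(key, labels[key])
    print("deviations:", classification_deviations(labels))
```

With the constructed log, the two morning bins are labeled human-initiated and the 03:00 bin machine-initiated, so the 03:00 bin is the one reported. A real deployment would learn the usual label over many days rather than from three bins, and would not rely on timing alone.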

In certain examples, the HTTP network log is a HTTP network log for a plurality of computer users, and the behavior analytics component 110 is configured to group each of the plurality of computer users within one or more of a plurality of user classes based on the contents of the general data representation. For instance, the behavior analytics component 110 may analyze one or more clusters in the general data representation and classify a user according to that user's network privileges. For example, users may be assigned to one or more user classes, such as employee, manager, or administrator. In such an example, the behavior analytics component 110 may be configured to detect a discordant activity based on a detected network activity that is discordant from the permitted network activity associated with a user class. That is, if a user is classified as an employee but is performing network activity reserved for an administrator, the behavior analytics component 110 may identify that network activity as a discordant activity. For example, this activity may include downloading and installing software, altering network configurations (e.g., Active Directory or network ports), or attempting to access secured devices or drives.

As discussed above, in certain examples, the feature extraction component 104 may be controlled to dynamically adjust the feature extraction and parameterization features of the connectivity matrix. That is, the feature extraction component 104 may dynamically adjust the connectivity matrix to represent different aspects of the HTTP network logs. Adjustment of the data sub-sets represented within the connectivity matrix will generate a new connectivity matrix, which results in new training data for the deep learning architecture 108. Based on the new training data, the deep learning architecture 108 generates an evolving general data representation of the HTTP network log. Based on the evolving general data representation, the behavior analytics component 110 may provide user-level behavior analytics. In particular, the user-level behavior analytics may continuously evolve to accurately represent changing network activity. In various examples, the network security system 100 may receive one or more user commands to adjust the connectivity matrix (e.g., extract and/or adjust fields). However, in other examples, such adjustments may be made automatically by the network security system 100 itself. Adjustments may also be made to the connectivity matrix to train the deep learning architecture 108 to target particular network activity, such as subtle malicious activity. Such adjustments may include tailoring the rows and/or columns of the connectivity matrix to include historically unused destination IP addresses, to name one example.

As discussed above with reference to at least FIGS. 1-3, various examples perform processes to monitor network activity. These processes may be performed by a network security system, or one or more components of a network security system, such as the network security system 100 illustrated in FIG. 1. One example of a process according to various aspects described herein is illustrated in FIG. 4. FIG. 4 is described with continuing reference to at least FIGS. 1, 2, and 3. As illustrated in FIG. 4, the process 400 may include acts of receiving a network log (e.g., a HTTP network log), extracting a connectivity matrix, providing training data to a deep learning architecture, training the deep learning architecture, generating a general data representation of the HTTP network log, and detecting a discordant activity (e.g., malicious network activity) within, or evidenced by, the HTTP network log.

In act 402, the process 400 includes receiving a HTTP network log. For instance, the HTTP network log may be received at the system interface 102 of the network security system 100 illustrated in FIG. 1. As previously discussed, the HTTP network log includes a matrix of data arranged by one or more fields and a time bin. In act 404, the process 400 includes extracting a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data. In many examples, the particular features and/or parameters extracted from the HTTP network log to form the connectivity matrix are selected by a user of the network security system 100. However, in some examples, the features and/or parameters may be dynamically selected by the network security system 100 itself. The connectivity matrix may then be used to generate deep learning architecture training data to train the deep learning architecture 108.

In act 406, the process 400 includes providing training data to the deep learning architecture 108. As discussed, the training data is based on the particular connectivity matrix extracted by the feature extraction component 104. In various examples, the training module 106 of the network security system 100 provides the training data. As described with reference to at least FIG. 1, the network security system 100 may include a deep learning architecture 108 to receive the training data and the HTTP network log. In various examples, the deep learning architecture 108 may have one or more layers. In act 408, the process 400 includes receiving the deep learning architecture training data at the deep learning architecture 108, and propagating the deep learning architecture training data through the one or more layers of the deep learning architecture 108 to train the one or more layers. Based on the continued learning of the deep learning architecture 108, and the received HTTP network log, the process 400 may include generating a general data representation of the HTTP network log (act 410).

In act 412, the process 400 includes detecting a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log. As discussed herein, the general data representation is a reduction and extraction of data from the HTTP network log that is suitable for recognizing patterns of network activity and behavior. That is, the general data representation is a low-dimensional and dense representation of HTTP network log data that is dimensionally reduced when compared with the HTTP network log. In many examples, the discordant network activity is malicious network activity or behavior, or network activity that is indicative of malicious activity or behavior.

FIGS. 5A-5B illustrate a more detailed process flow of a process for monitoring network activity. Accordingly, FIGS. 5A-5B include many acts that are similar to the acts that were previously described with reference to FIG. 4. The acts of FIGS. 5A-5B may be performed by a network security system, or one or more components of a network security system, such as the network security system 100 illustrated in FIG. 1. Accordingly, FIGS. 5A-5B are described with continuing reference to the network security system 100 of FIG. 1.

In act 502, similar to act 402 of FIG. 4, the process 500 may include receiving a HTTP network log. While in one example the HTTP network log may be received at the system interface 102 of the network security system 100 via an external network connection, in some examples the HTTP network log may be received from a data storage element or another component of the network security system 100. For instance, the HTTP network log may be received from one or more specialized hardware or software components that generate the HTTP network log. While the system interface 102 is described as receiving a single HTTP network log, in other examples multiple HTTP network logs may be received by the system interface 102 in act 502. The multiple network logs may be received sequentially or concurrently.

In act 504, the process 500 may include extracting a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data of the HTTP network log. As previously discussed with reference to at least FIG. 1, the connectivity matrix, relative to the HTTP network log, may be targeted to a particular field or data sub-set within the HTTP network log. Accordingly, the connectivity matrix may contain a comparatively smaller and more concentrated amount of information relative to the HTTP network log. Act 504 may include sub-acts 506 and 508 illustrated in FIG. 5. In sub-act 506, the process 500 may include extracting one or more features or parameters from the HTTP network log. For instance, sub-act 506 is shown as including the act of extracting one or more source Internet Protocol (IP) addresses and one or more destination IP addresses from the HTTP network log.

As previously discussed, the connectivity matrix may include a plurality of rows and columns in which the rows are indicative of one data sub-set from the HTTP network log, and the columns are representative of another data sub-set from the HTTP network log. Cells within the connectivity matrix may include a value representative of the connection or connections between the field of a particular row and the field of a particular column. As such, in sub-act 508, the process 500 may include formatting the extracted parameters and/or features in one or more rows and columns to provide the connectivity matrix.

In some instances, the connectivity matrix may be sparse. That is, the connectivity matrix may include multiple cells where no connections exist. If one or more zero-valued cells are present within the connectivity matrix, the process 500 may include interpolating values into those zero-valued cells in the connectivity matrix (act 510). In one example, these operations may be performed by the training module 106. For example, in some situations, the training module 106 may interpolate a default value into zero-valued cells. This may be the case when there is no network traffic and no connection was observed. In these situations, a zero may be the default value.

However, in other situations, an incomplete connectivity matrix may result from an incomplete HTTP network log. For instance, technical issues may result in a time interval for which no information is recorded in a received HTTP network log. In these situations, the absence of information in the HTTP network log does not necessarily correlate with an absence of network activity. Accordingly, in various examples, the training module 106 may use linear interpolation to “fill in” the sparse connectivity matrix based at least on similar HTTP network logs. For instance, for a given source IP address over a missing time period, the training module 106 may find a vector of historical destination IP connections for that source IP address at that missing time of day in a past HTTP network log. The training module 106 may similarly find a vector of future destination IP connections for that source IP address at that missing time of day in a future HTTP network log, and use an average (weighted by distance in time) of those vectors as a proxy for the missing information.
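Sub-acts 506 and 508 and act 510 together, as a worked example added here (not the patent's own code): the connectivity matrix is built from constructed log lines as source-by-destination connection counts per hourly time bin; a bin in which the source was simply idle keeps its default zeros; and a bin that is absent from the log altogether is treated as missing data and filled with a time-distance-weighted average of the rows at the same hour of day on the nearest earlier and later days. The log format, the hourly bin, the "absent from the log for every source" test for a gap, and the rounding to six decimals are assumptions.

```python
"""Added example (not from the patent): connectivity-matrix extraction and
interpolation of a log gap. Log format, hourly bins and rounding are assumed."""
from collections import defaultdict
from datetime import datetime

BIN_FMT = "%Y-%m-%dT%H"

# Constructed log lines: "<timestamp> <src_ip> <dst_ip>". Nothing at all was
# recorded for 09:00-10:00 on 2023-03-02 (a log gap, not an idle host); the
# nearest days with 09:00 records for this source are 2023-03-01 and 2023-03-04.
LOG = """\
2023-03-01T09:05:00 10.0.0.5 203.0.113.10
2023-03-01T09:20:00 10.0.0.5 203.0.113.10
2023-03-01T09:45:00 10.0.0.5 203.0.113.20
2023-03-02T10:05:00 10.0.0.5 203.0.113.10
2023-03-04T09:01:00 10.0.0.5 203.0.113.10
2023-03-04T09:03:00 10.0.0.5 203.0.113.10
2023-03-04T09:07:00 10.0.0.5 203.0.113.10
2023-03-04T09:12:00 10.0.0.5 203.0.113.10
2023-03-04T09:18:00 10.0.0.5 203.0.113.10
2023-03-04T09:21:00 10.0.0.5 203.0.113.20
2023-03-04T09:25:00 10.0.0.5 203.0.113.20
2023-03-04T09:30:00 10.0.0.5 203.0.113.20
2023-03-04T09:36:00 10.0.0.5 203.0.113.20
2023-03-04T09:41:00 10.0.0.5 203.0.113.30
2023-03-04T09:47:00 10.0.0.5 203.0.113.30
2023-03-04T09:55:00 10.0.0.5 203.0.113.30
"""


def extract_connectivity(log, bin_fmt=BIN_FMT):
    """Sub-acts 506/508: bins[time_bin][src][dst] = number of connections;
    also returns the sorted destination IPs that form the matrix columns."""
    bins = {}
    destinations = set()
    for line in log.splitlines():
        ts, src, dst = line.split()
        b = datetime.fromisoformat(ts).strftime(bin_fmt)
        bins.setdefault(b, {}).setdefault(src, defaultdict(int))[dst] += 1
        destinations.add(dst)
    return bins, sorted(destinations)


def row_vector(bins, b, src, columns):
    """One matrix row for (time bin, source); zero is the default value where
    no connection was observed."""
    counts = bins.get(b, {}).get(src, {})
    return [counts.get(dst, 0) for dst in columns]


def is_log_gap(bins, b):
    """True when the log holds no record for the bin from any source, which is
    treated as missing data rather than as an absence of activity (assumption)."""
    return b not in bins


def fill_missing_bin(bins, src, columns, missing, bin_fmt=BIN_FMT):
    """Act 510 for a log gap: average of the nearest past and future rows at
    the same hour of day, weighted so that the closer day counts more."""
    m = datetime.strptime(missing, bin_fmt)
    same_hour = sorted(datetime.strptime(b, bin_fmt) for b in bins
                       if src in bins[b] and b.endswith(m.strftime("T%H")))
    past = [t for t in same_hour if t < m]
    future = [t for t in same_hour if t > m]
    if not past or not future:
        raise ValueError("need an observation at this hour both before and after")
    p, f = past[-1], future[0]
    dp, df = (m - p).total_seconds(), (f - m).total_seconds()
    wp, wf = df / (dp + df), dp / (dp + df)
    vp = row_vector(bins, p.strftime(bin_fmt), src, columns)
    vf = row_vector(bins, f.strftime(bin_fmt), src, columns)
    return [round(wp * a + wf * c, 6) for a, c in zip(vp, vf)]


if __name__ == "__main__":
    bins, columns = extract_connectivity(LOG)
    print("columns:", columns)
    for b in sorted(bins):
        print(b, row_vector(bins, b, "10.0.0.5", columns))
    gap = "2023-03-02T09"
    if is_log_gap(bins, gap):
        print(gap, "interpolated:", fill_missing_bin(bins, "10.0.0.5", columns, gap))
```

For the constructed log the 09:00 row on 2023-03-01 is [2, 1, 0] and on 2023-03-04 is [5, 4, 3]; the missing 2023-03-02 row is one day from the first and two days from the second, so the first is weighted 2/3 and the second 1/3, giving [3.0, 2.0, 1.0]. The 10:00 bin on 2023-03-02 has records, so it is not a gap and its zeros stand.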

In act 512, the process 500 may include providing deep learning architecture training data based on the connectivity matrix. Specifically, the training data may be used to train a deep learning architecture, such as the deep learning architecture 108 illustrated in FIG. 1 and FIG. 3 (act 514). As shown in FIG. 5, act 514 may include sub-act 516 and, in some examples, sub-act 518. In sub-act 516, the process 500 includes propagating the training data through the one or more layers of the deep learning architecture 108 to train the one or more layers. For instance, this may include propagating the training data as one or more inputs from the input layer 300, through the one or more intermediate layers (e.g., “hidden” layers) 302, to obtain an output at an output layer 304. In sub-act 518, the process 500 may include back-propagating a deviation between the output of the output layer 304 and the input (e.g., the training data) through the one or more layers to update and train the one or more layers.
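The stacked autoencoder described earlier (encode layers that reduce dimensionality, decode layers trained to reconstruct the input, byte counts per destination IP encoded into a small dense vector) and the propagation of sub-acts 516 and 518, as an added example that is not code from the patent: each layer is an encode/decode pair trained by forward propagation and back-propagation of the reconstruction error; layers are trained greedily one after another on the codes of the previous one; and the reconstruction error of the trained stack is then used as a discordance score for a new row. The layer sizes, learning rate, epoch count, normalization, and the constructed byte-count rows are assumptions, and this plain-Python implementation is kept small rather than efficient.

```python
"""Added example (not from the patent): a small stacked autoencoder in plain
Python. Layer sizes, learning rate, epochs and the sample rows are assumptions."""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class AutoencoderLayer:
    """One encode/decode pair: h = s(W x + b), x' = s(V h + c)."""

    def __init__(self, n_in, n_hidden, seed):
        rng = random.Random(seed)
        self.W = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b = [0.0] * n_hidden
        self.V = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.c = [0.0] * n_in

    def encode(self, x):
        return [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                for row, b in zip(self.W, self.b)]

    def decode(self, h):
        return [sigmoid(sum(v * hi for v, hi in zip(row, h)) + c)
                for row, c in zip(self.V, self.c)]

    def train_step(self, x, lr):
        """Forward pass (sub-act 516), then back-propagate the squared
        reconstruction error through decode and encode weights (sub-act 518)."""
        h = self.encode(x)
        y = self.decode(h)
        d_out = [(yi - xi) * yi * (1.0 - yi) for yi, xi in zip(y, x)]
        d_hid = [sum(d_out[i] * self.V[i][j] for i in range(len(x))) * h[j] * (1.0 - h[j])
                 for j in range(len(h))]
        for i in range(len(x)):
            for j in range(len(h)):
                self.V[i][j] -= lr * d_out[i] * h[j]
            self.c[i] -= lr * d_out[i]
        for j in range(len(h)):
            for k in range(len(x)):
                self.W[j][k] -= lr * d_hid[j] * x[k]
            self.b[j] -= lr * d_hid[j]
        return sum((yi - xi) ** 2 for yi, xi in zip(y, x)) / len(x)


class StackedAutoencoder:
    """Greedy layer-wise stack: each layer learns to reconstruct the previous
    layer's codes; the innermost code is the dense representation."""

    def __init__(self, sizes, seed=0):
        self.layers = [AutoencoderLayer(a, b, seed + i)
                       for i, (a, b) in enumerate(zip(sizes, sizes[1:]))]

    def fit(self, data, epochs=300, lr=0.5):
        """Returns (first epoch loss, last epoch loss) for each layer."""
        history = []
        for layer in self.layers:
            losses = [sum(layer.train_step(x, lr) for x in data) / len(data)
                      for _ in range(epochs)]
            history.append((losses[0], losses[-1]))
            data = [layer.encode(x) for x in data]
        return history

    def encode(self, x):
        for layer in self.layers:
            x = layer.encode(x)
        return x

    def reconstruction_error(self, x):
        """Mean squared error after encoding and decoding through the whole
        stack; large values mark rows unlike the training data."""
        h = self.encode(x)
        for layer in reversed(self.layers):
            h = layer.decode(h)
        return sum((a - b) ** 2 for a, b in zip(x, h)) / len(x)


def normalize(byte_counts):
    top = max(byte_counts)
    return [v / top for v in byte_counts]


# Constructed rows: bytes from one source to 8 destination IPs in 6 time bins.
NORMAL_ROWS = [normalize(r) for r in [
    [52000, 41000, 3000, 1200, 0, 0, 500, 900],
    [48000, 45000, 2500, 900, 0, 0, 300, 1100],
    [61000, 39000, 4000, 1500, 0, 0, 700, 800],
    [55000, 43000, 3200, 1000, 0, 0, 400, 1000],
    [50000, 47000, 2800, 1300, 0, 0, 600, 700],
    [58000, 40000, 3500, 1100, 0, 0, 500, 950],
]]
# Constructed row in which the same source pushes data to four unused destinations.
DISCORDANT_ROW = normalize([2000, 1500, 0, 0, 48000, 51000, 47000, 50000])


def run_example():
    sae = StackedAutoencoder([8, 4, 2])
    history = sae.fit(NORMAL_ROWS)
    return history, sae.reconstruction_error(NORMAL_ROWS[0]), sae.reconstruction_error(DISCORDANT_ROW)


if __name__ == "__main__":
    history, normal_err, discordant_err = run_example()
    print("per-layer loss (first, last):", history)
    print("normal row:", round(normal_err, 4), "discordant row:", round(discordant_err, 4))
```

The 8-dimensional byte-count rows are encoded into a 2-dimensional code. After training, a row that follows the recurring pattern reconstructs with a small error, while the row that sends data to destinations the training rows never used reconstructs poorly, which is the signal a behavior analytics stage would threshold on.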

In various examples, the process 500 may include receiving the HTTP network log at the deep learning architecture 108, and generating a general data representation of the HTTP network log (act 520). As discussed herein, the general data representation is a reduction and extraction of data from the HTTP network log that is suitable for recognizing patterns of network activity and behavior. That is, the general data representation is a low-dimensional and dense representation of HTTP network log data that is dimensionally reduced when compared with the HTTP network log. In some examples, act 520 may include generating a general data representation in which the corresponding encoded data is grouped into one or more clusters.

In act 522, the process 500 may include detecting a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log. In many cases, act 522 includes detecting malicious network activity or behavior, or detecting activity indicative of (e.g., associated with) malicious activity or behavior. In some examples, act 522 includes sub-acts 524 and 526. In other examples, act 522 includes sub-acts 528 and 530.

In sub-act 524, the process 500 may include classifying the contents of the general data representation (e.g., the encoded data). In particular, sub-act 524 may include classifying the one or more clusters of the general data representation. For instance, sub-act 524 may include classifying the contents of the general data representation based on the source that initiated the activity, for instance, as human-initiated activity or as machine-initiated activity. Based on the classified contents of the general data representation, the process 500 may include detecting the discordant activity within the HTTP network log based on an unexpected deviation in classification at a particular time bin (sub-act 526).

In certain examples, the HTTP network log is a HTTP network log for a plurality of computer users, and the process 500 may include grouping each of the plurality of computer users within one of a plurality of user classes based on the contents of the general data representation (sub-act 528). For instance, the process 500 may include analyzing one or more clusters in the general data representation and classifying a user according to that user's network privileges. For example, users may be assigned to one or more user classes, such as employee, manager, and administrator. In such an example, detecting the discordant network activity may include detecting a discordant activity based on detected network activity that is inconsistent with the permitted network activity associated with a user class (sub-act 530). While not explicitly illustrated or described with reference to FIG. 5, in various other examples the process 500 may include other acts and/or sub-acts. Such acts and/or sub-acts are described herein with reference to at least the network security system 100 illustrated in FIG. 1.

As discussed above with reference to FIG. 1, in some examples, one or more components of the network security system 100 may be implemented as a software component executing on a specialized computing system, or provisioned as one or more instances among a plurality of specialized computing systems. FIG. 6 shows a block diagram of one example of a specialized computing system 600, in which various aspects and functions in accord with the present systems and methods may be practiced. That is, FIG. 6 illustrates a computing system 600 that can be specially configured to perform the functions, operations, and/or processes disclosed herein (e.g., functions of the system interface 102, feature extraction component 104, training module 106, deep learning architecture 108, and/or behavior analytics component 110 shown in FIG. 1).

The computing system 600 may be interconnected with, and may communicate with, one or more additional computing systems 602, 604, and may exchange data through a communication network 616. The network 616 may include any communication network through which computer systems may exchange data. To exchange data via the network 616, the computing systems 600, 602, 604 and the network 616 may use various methods, protocols, and standards including, among others, HTTP.

Various aspects and functions in accord with the discussed network security system may be implemented as specialized hardware or software executing in one or more computer systems including the computing system 600 shown in FIG. 6. As depicted, the computing system 600 includes a processor 606, a memory 614, a bus 608, one or more interfaces 610, and a storage system 612. The processor 606, which may include one or more microprocessors or other types of controllers, can perform a series of instructions that manipulate data. The processor 606 may be, for example, a commercially available processor or controller. As shown, the processor 606 is connected to other system components, including the memory 614, by the bus 608.

The memory 614 may be used for storing programs and data during operation of the computing system 600. For example, the memory 614 may store one or more HTTP network logs, a connectivity matrix, and/or one or more general data representations. Thus, the memory 614 may be a relatively high performance, volatile, random access memory such as a dynamic random access memory (DRAM) or static memory (SRAM). However, the memory 614 may include any device for storing data, such as a disk drive or other non-volatile storage device, such as flash memory or phase-change memory (PCM).

Components of the computing system 600 may be coupled by an interconnection element such as the bus 608. The bus 608 may include one or more physical busses (for example, busses between components that are integrated within a same machine), and may include any communication coupling between system placements including specialized or standard computing bus technologies. Thus, the bus 608 enables communications (for example, data and instructions) to be exchanged between system components of the computing system 600.

Computing system 600 also includes one or more interfaces 610 such as input devices, output devices, or combination input/output devices. The interface devices 610 may receive input, provide output, or both. For example, output devices may render information for external presentation. Input devices may accept information from external sources. The interface devices 610 allow the computing system 600 to exchange information and communicate with external entities, such as users and other systems. In some examples, the computing system 600 may exchange HTTP network log information via the interface 610, as discussed above.

Storage system 612 may include a computer-readable and computer-writeable non-volatile storage medium in which instructions are stored that define a program to be executed by the processor. The instructions may be persistently stored as encoded signals, and the instructions may cause the processor 606 to perform any of the functions described herein. A medium that can be used with various examples may include, for example, an optical disk, a magnetic disk, or a flash memory, among others. In operation, the processor 606 or some other controller may cause data to be read from the non-volatile recording medium into another memory, such as the memory 614, that allows for faster access to the information by the processor 606 than does the storage medium included in the storage system 612. The memory may be located in the storage system 612 or in the memory 614. The processor 606 may manipulate the data within the memory 614, and then copy the data to the medium associated with the storage system 612 after processing is completed.

Various aspects and functions in accord with the present invention may also be practiced on one or more computers having different architectures or components than that shown in FIG. 6. For instance, the computing system 600 may include specially-programmed, special-purpose hardware, such as, for example, an application-specific integrated circuit (ASIC) tailored to perform a particular operation disclosed herein.

Accordingly, as described herein, various aspects and examples provide a network security system that trains a deep learning architecture based on a HTTP connectivity matrix extracted from one or more HTTP network logs. One or more components of the network security system may provide training data based on the HTTP connectivity matrix such that the deep learning architecture may generate a general data representation of the HTTP network log. The general data representation may be used to detect one or more discordant network activities within the HTTP log. Such examples may be used to protect a network, client, and/or host against malicious activity and/or behavior. In contrast to typical network security systems that rely on blacklists or whitelists to monitor network activity, various aspects and implementations described herein actively adapt to learn and predict malicious activity and behavior.

Having described above several aspects of at least one example, it is to be appreciated that various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements are intended to be part of this disclosure and are intended to be within the scope of the invention. Accordingly, the foregoing description and drawings are by way of example only, and the scope of the invention should be determined from proper construction of the appended claims, and their equivalents.

What is claimed is:
 1. A network security system comprising: a system interface to receive a Hypertext Transfer Protocol (HTTP) network log for a single user, the HTTP network log including a matrix of data arranged by at least one field and a time bin; and a processor configured to execute: a feature extraction component coupled to the system interface, the feature extraction component configured to extract a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data, a source Internet Protocol (IP) address of the single computer user, one or more destination IP addresses, and the time bin, wherein a value within each cell of the connectivity matrix indicates a number of connections between at least the source IP address of the single computer user and an individual destination IP address of the one or more destination IP addresses; a training module coupled to the feature extraction component, the training module being configured to interpolate values into zero-valued cells in the connectivity matrix and provide deep learning architecture training data based on the connectivity matrix; a deep learning architecture having one or more layers, the deep learning architecture configured to receive the deep learning architecture training data and propagate the deep learning architecture training data through the one or more layers to train the one or more layers, and the deep learning architecture being configured to receive the HTTP network log and generate a general data representation of the HTTP network log; and a behavior analytics component coupled to the deep learning architecture and configured to detect a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log.
 2. The network security system of claim 1, wherein the deep learning architecture is a stacked autoencoder, each layer of the one or more layers being a sparse autoencoder.
 3. The network security system of claim 1, wherein the behavior analytics component is configured to detect the discordant network activity in the HTTP network log by detecting a deviation from the recurring behavioral pattern.
 4. The network security system of claim 3, wherein the recurring behavioral pattern is a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address.
 5. The network security system of claim 1, wherein the behavior analytics component is further configured to classify contents of the general data representation of the HTTP network log as human-initiated activity or machine-initiated activity, and wherein the discordant activity within the HTTP network log is a first machine-initiated activity.
 6. The network security system of claim 5, wherein the HTTP network log is a HTTP network log for a plurality of computer users, and wherein the behavior analytics component is further configured to group each of the plurality of computer users within one of a plurality of user classes based on the contents of the general data representation of the HTTP network log.
 7. A method of monitoring network activity, the method comprising: receiving a Hypertext Transfer Protocol (HTTP) network log for a single user, the HTTP network log including a matrix of data arranged by at least one field and a time bin; extracting a connectivity matrix from the HTTP network log based at least in part on a recurring behavioral pattern within the matrix of data, a source Internet Protocol (IP) address of the single computer user, one or more destination IP addresses, and the time bin, wherein a value within each cell of the connectivity matrix indicates a number of connections between at least the source IP address of the single computer user and an individual destination IP address of the one or more destination IP addresses; interpolating values into zero-valued cells in the connectivity matrix; providing deep learning architecture training data to a deep learning architecture, the deep learning architecture training data being based on the connectivity matrix; receiving the deep learning architecture training data at the deep learning architecture, and propagating the deep learning architecture training data through one or more layers of the deep learning architecture to train the one or more layers; at the deep learning architecture, generating a general data representation of the HTTP network log; and detecting a discordant network activity within the HTTP network log based on the general data representation of the HTTP network log.
 8. The method of claim 7, further comprising classifying contents of the general data representation of the HTTP network log as human-initiated activity or machine-initiated activity, and wherein the discordant activity within the HTTP network log is a first machine-initiated activity.
 9. The method of claim 7, wherein receiving the HTTP network log includes receiving a HTTP network log for a plurality of computer users.
 10. The method of claim 9, further comprising grouping each of the plurality of computer users within one of a plurality of user classes based on the contents of the general data representation of the HTTP network log.
 11. The method of claim 7, wherein detecting the discordant network activity in the HTTP network log includes detecting a deviation from the recurring behavioral pattern.
 12. The method of claim 11, wherein the recurring behavioral pattern is a reoccurring connection between a source Internet Protocol (IP) address and a destination IP address.